If you use Plex — the slick little app that turns a dusty hard drive into a streaming service for your living room — you probably woke up today to an email asking you to do the thing every tech company asks when something goes wrong: change your password. This isn’t a routine nudge. Plex says an “unauthorized third party” accessed one of its databases and read a limited set of account details, including email addresses, usernames and securely hashed passwords. The company is asking affected users to reset passwords, sign out connected devices, and turn on two-factor authentication (2FA).

Déjà vu for Plex users

For anyone who remembers the 2022 incident (and the forum breaches before that), this will feel uncomfortably familiar. Plex has had to tell users to reset passwords before — and that history makes today’s notice sting a bit more. That earlier episode saw similar account details exposed and left a lot of folks asking whether anything meaningful had changed on Plex’s security front since then.

What Plex says (and what that actually means)

Plex’s notice, posted on its forum and sent by email, says an “unauthorized third party” got into a database and that the data included emails, usernames and securely hashed passwords. Plex also stresses it doesn’t store customers’ credit card data on its servers, so payment details weren’t part of the leak. The company says it contained the incident and fixed the access vector, and it’s conducting additional security reviews.

“Securely hashed” is not the same as “stolen in plaintext.” Hashing is a one-way transform that makes raw passwords unreadable, and good hashing practices include salts and slow algorithms that make cracking expensive. That’s why Plex is not saying the attacker grabbed plain passwords. But hashed passwords still have value to attackers — if a password is weak, or if a user reused the same password across sites, a determined attacker can crack hashes offline or try those credentials on other services. In short, hashed is better than plaintext, but it is not a free pass to ignore the warning.

Exactly what you should do (right now)

Plex’s ask is straightforward. Do these three things immediately:

1. Reset your Plex password at https://plex.tv/reset. When you do, check the box that signs out connected devices — that will force any already-logged sessions (including your Plex Media Server instances you run at home) to require the new password. Yes, it’ll be mildly annoying — but that’s the point.
2. Enable two-factor authentication on your Plex account. Plex documents how to enable 2FA on your account page; once enabled, logins will require a short time-based code in addition to your password. This blocks a lot of common account takeover attempts.
3. If you reuse passwords anywhere, change them there, too. Attackers often test breached credentials on other services. Adopt unique, strong passwords and use a password manager if you don’t already. For an extra check, you can paste your email into services like Have I Been Pwned to see whether it has appeared in prior breaches.

A few practical notes for Plex server owners

If you run a Plex Media Server at home, the “sign out connected devices” option will sign out whatever devices are currently authenticated — that includes clients and server sessions. Expect to re-authenticate apps and possibly re-enter tokens for companion apps or integrations that don’t support 2FA. If you manage shared libraries for friends and family, give them a heads-up: they’ll need to sign back in after you reset your account. Plex’s support pages and forum thread for this notice are where the company’s official instructions live.

Don’t fall for the follow-on scams

Breaches are also magnets for phishing. Plex explicitly reminded customers that they will never ask for your password or credit card over email, and attackers will try to imitate urgent notices to trick people into handing over credentials. If you get an email telling you to click a strange link or call a number, don’t. Go straight to plex.tv (type it into your browser) or the official support site; don’t follow links in unsolicited messages.

Why incidents like this keep happening

There’s no single, simple answer, but a few patterns repeat across breaches: legacy systems and forgotten access paths, credential stuffing (reused passwords), stolen third-party credentials, and vulnerabilities in tooling that companies rely on. Plex says it “addressed the method” the attacker used and is hardening systems — but for users, the best defence is good credential hygiene (unique passwords + 2FA) and a little skepticism about urgent messages. Security teams can and should keep patching and auditing, but the last line of defence is often the account holder.

If you want to be cautious (extra steps)

• Use a password manager to generate and store unique passwords.
• Turn on 2FA everywhere it’s available, not just Plex.
• Check your email with a breach-watcher such as Have I Been Pwned and sign up for alerts.

Plex’s message is short and sensible: some account data was exposed; passwords were hashed; reset yours; enable 2FA; sign out connected devices. If you think about the risk realistically, the main danger isn’t that Plex stores your credit card number or private messages — the danger is password reuse. If you use the same password on other sites (banking, email, shopping), start changing them now. The fix is boring, but effective: new passwords, unique passwords, and two-factor authentication.